Hello community, here is the log from the commit of package libxml2.1604 for openSUSE:12.1:Update checked in at 2013-04-29 10:37:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update/libxml2.1604 (Old) and /work/SRC/openSUSE:12.1:Update/.libxml2.1604.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libxml2.1604", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-04-05 00:01:41.916011506 +0200 +++ /work/SRC/openSUSE:12.1:Update/.libxml2.1604.new/libxml2-python.changes 2013-04-29 10:37:09.000000000 +0200 
@@ -0,0 +1,1458 @@ +------------------------------------------------------------------- +Fri Jul 8 08:52:06 UTC 2011 - saschpe@suse.de + +- update to libxml-2.7.8+git20110708 + - several important bugfixes + +------------------------------------------------------------------- +Mon Dec 6 09:05:53 UTC 2010 - coolo@novell.com + +- buildrequire python-xml to fix build + +------------------------------------------------------------------- +Fri Dec 3 12:24:42 UTC 2010 - puzel@novell.com + +- update to libxml-2.7.8 + - number of bufixes, documentation and portability fixes + - update language ID parser to RFC 5646 + - sort python generated stubs + - add an HTML parser option to avoid a default doctype + - see http://xmlsoft.org/news.html for exact details +- clean up specfile + +------------------------------------------------------------------- +Wed Apr 7 16:34:29 UTC 2010 - coolo@novell.com + +- fix build + +------------------------------------------------------------------- +Tue Mar 23 23:46:00 CET 2010 - mrdocs@opensuse.org + +- update to 2.7.7 +- add extra options to ./configure for scribus features and avoid a crash +- updates from 2.7.3 > 2.7.7 include a number of portability, correctness + memory leaks and build fixes including some CVE +- see http://xmlsoft.org/news.html for exact details + +------------------------------------------------------------------- +Tue Dec 15 12:19:16 CET 2009 - jengelh@medozas.de + +- enable parallel building + +------------------------------------------------------------------- +Thu Mar 19 10:16:50 CET 2009 - prusnak@suse.cz + +- updated to 2.7.2 + * Portability fix: fix solaris compilation problem, + fix compilation if XPath is not configured in + * Bug fixes: nasty entity bug introduced in 2.7.0, restore old + behaviour when saving an HTML doc with an xml dump function, + HTML UTF-8 parsing bug, fix reader custom error handlers + (Riccardo Scussat) + * Improvement: xmlSave options for more flexibility to save + as XML/HTML/XHTML, 
handle leading BOM in HTML documents +- updated to 2.7.3 + * Build fix: fix build when HTML support is not included. + * Bug fixes: avoid memory overflow in gigantic text nodes, + indentation problem on the writed (Rob Richards), + xmlAddChildList pointer problem (Rob Richards and Kevin Milburn), + xmlAddChild problem with attribute (Rob Richards and Kris Breuker), + avoid a memory leak in an edge case (Daniel Zimmermann), + deallocate some pthread data (Alex Ott). + * Improvements: configure option to avoid rebuilding docs + (Adrian Bunk), limit text nodes to 10MB max by default, + add element traversal APIs, add a parser option to enable + pre 2.7 SAX behavior (Rob Richards), + add gcc malloc checking (Marcus Meissner), + add gcc printf like functions parameters checking (Marcus Meissner). +- dropped obsoleted patches: + * alloc_size.patch (mainline) + * CVE-2008-4225.patch (mainline) + * CVE-2008-4226.patch (mainline) + * CVE-2008-4409.patch (mainline) + * oldsax.patch (mainline) + * pritnf.patch (mainline) + * xmlsave.patch (mainline) + +------------------------------------------------------------------- +Mon Jan 12 17:21:59 CET 2009 - prusnak@suse.cz + +- added oldsax.patch to enable pre 2.7.0 sax behaviour [bnc#457056] + +------------------------------------------------------------------- +Wed Dec 10 12:34:56 CET 2008 - olh@suse.de + +- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade + (bnc#437293) + +------------------------------------------------------------------- +Tue Nov 25 16:00:27 CET 2008 - prusnak@suse.cz + +- fix broken xmlsave (xmlsave.patch) [bnc#437203] + +------------------------------------------------------------------- +Tue Nov 18 16:24:39 CET 2008 - prusnak@suse.cz + +- fixed CVE-2008-4225 [bnc#445677] + +------------------------------------------------------------------- +Thu Nov 6 12:02:25 CET 2008 - prusnak@suse.cz + +- fixed CVE-2008-4226 [bnc#441368] + 
+------------------------------------------------------------------- +Thu Oct 30 12:34:56 CET 2008 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Mon Oct 6 14:50:38 CEST 2008 - prusnak@suse.cz + +- fixed CVE-2008-4409 [bnc#432486] + +------------------------------------------------------------------- +Tue Sep 9 17:01:12 CEST 2008 - meissner@suse.de + +- added GCC attribute alloc_size markup (alloc_size.patch) + +------------------------------------------------------------------- +Wed Sep 3 16:58:23 CEST 2008 - prusnak@suse.cz + +- updated to 2.7.1 + * Portability fix: Borland C fix (Moritz Both) + * Bug fixes: python serialization wrappers, XPath QName corner + case handking and leaks (Martin) + * Improvement: extend the xmlSave to handle HTML documents and trees + * Cleanup: python serialization wrappers + +------------------------------------------------------------------- +Wed Sep 3 16:57:46 CEST 2008 - prusnak@suse.cz + +- updated to 2.7.0 + * Documentation: switch ChangeLog to UTF-8, improve mutithreads and + xmlParserCleanup docs + * Portability fixes: Older Win32 platforms (Rob Richards), MSVC + porting fix (Rob Richards), Mac OS X regression tests (Sven Herzberg), + non GNUCC builds (Rob Richards), compilation on Haiku (Andreas Färber) + * Bug fixes: various realloc problems (Ashwin), potential double-free + (Ashwin), regexp crash, icrash with invalid whitespace facets (Rob + Richards), pattern fix when streaming (William Brack), various XML + parsing and validation fixes based on the W3C regression tests, reader + tree skipping function fix (Ashwin), Schemas regexps escaping fix + (Volker Grabsch), handling of entity push errors (Ashwin), fix a slowdown + when encoder cant serialize characters on output + * Code cleanup: compilation fix without the reader, without the output + (Robert Schwebel), python whitespace (Martin), many space/tabs cleanups, + serious cleanup of 
the entity handling code + * Improvement: switch parser to XML-1.0 5th edition, add parsing flags + for old versions, switch URI parsing to RFC 3986, + add xmlSchemaValidCtxtGetParserCtxt (Holger Kaelberer), + new hashing functions for dictionnaries (based on Stefan Behnel work), + improve handling of misplaced html/head/body in HTML parser, better + regression test tools and code coverage display, better algorithms + to detect various versions of the billion laughts attacks, make + arbitrary parser limits avoidable as a parser option +- dropped obsoleted patches: + * billion-laughs.patch (included in update) + +------------------------------------------------------------------- +Wed Aug 13 12:05:08 CEST 2008 - prusnak@suse.cz + +- fixed billion laughs vulnerability (billion-laughs.patch) [bnc#415371] + +------------------------------------------------------------------- +Fri Apr 11 14:34:30 CEST 2008 - prusnak@suse.cz + +- updated to 2.6.32 + * Documentation: + - returning heap memory to kernel (Wolfram Sang) + - trying to clarify xmlCleanupParser() use + - xmlXPathContext improvement (Jack Jansen) + - improve the *Recover* functions documentation + - XmlNodeType doc link fix (Martijn Arts) + * Bug fixes: + - internal subset memory leak (Ashwin) + - avoid problem with paths starting with // (Petr Sumbera) + - streaming XSD validation callback patches (Ashwin) + - fix redirection on port other than 80 (William Brack) + - SAX2 leak (Ashwin) + - XInclude fragment of own document (Chris Ryan) + - regexp bug with '.' 
(Andrew Tosh) + - flush the writer at the end of the document (Alfred Mickautsch) + - output I/O bug fix (William Brack) + - writer CDATA output after a text node (Alex Khesin) + - UTF-16 encoding detection (William Brack) + - fix handling of empty CDATA nodes for Safari team + - python binding problem with namespace nodes + - improve HTML parsing (Arnold Hendriks) + - regexp automata build bug + - memory leak fix (Vasily Chekalkin) + - XSD test crash + - weird system parameter entity parsing problem + - allow save to file:///X/ windows paths + - various attribute normalisation problems + - externalSubsetSplit fix (Ashwin) + - attribute redefinition in the DTD (Ashwin) + - fix in char ref parsing check (Alex Khesin) + - many out of memory handling fixes (Ashwin) ++++ 1261 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.1:Update/.libxml2.1604.new/libxml2-python.changes New Changes file: --- /dev/null 2013-04-05 00:01:41.916011506 +0200 +++ /work/SRC/openSUSE:12.1:Update/.libxml2.1604.new/libxml2.changes 2013-04-29 10:37:10.000000000 +0200 
@@ -0,0 +1,1547 @@ +------------------------------------------------------------------- +Thu Mar 7 13:28:59 UTC 2013 - vcizek@suse.com + +- fix for CVE-2013-0338 (bnc#805233) + libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch + +------------------------------------------------------------------- +Fri Dec 7 10:49:11 UTC 2012 - vcizek@suse.com + +- fixed CVE-2012-5134 (bnc#793334) / libxml2-CVE-2012-5134.patch + +------------------------------------------------------------------- +Thu Jun 28 09:48:22 UTC 2012 - vcizek@suse.com + +- fixed CVE-2012-2807 (bnc#769184) + +------------------------------------------------------------------- +Wed May 30 12:26:46 UTC 2012 - vcizek@suse.com + +- fixed CVE-2011-3102 (bnc#764538) + +------------------------------------------------------------------- +Wed Feb 22 10:19:27 UTC 2012 - vcizek@suse.com + +- add fix for hash table collisions CVE-2012-0841 (bnc#748561) +- renamed tarball to .gz, as it was compressed with gzip + +------------------------------------------------------------------- +Mon Nov 28 15:31:52 UTC 2011 - vcizek@suse.com + +- add libxml2-CVE-2011-2821.patch (bnc#732787) + +------------------------------------------------------------------- +Fri Jul 8 08:52:06 UTC 2011 - saschpe@suse.de + +- update to libxml-2.7.8+git20110708 + - several important bugfixes +- drop upstreamed patches: + * libxml2-CVE-2010-4494.patch + * libxml2-CVE-2011-1944.patch + * noxref.patch + * symbol-versioning.patch + +------------------------------------------------------------------- +Wed Jun 29 09:05:59 UTC 2011 - puzel@novell.com + +- add libxml2-CVE-2011-1944.patch (bnc#697372) + +------------------------------------------------------------------- +Sun Jun 5 21:36:07 UTC 2011 - cshorler@googlemail.com + +- add symbol-versioning.patch to restore 11.3 versioned symbols + +------------------------------------------------------------------- +Mon Jan 3 09:21:20 UTC 2011 - puzel@novell.com + +- add 
libxml2-CVE-2010-4494.patch (bnc#661471) + +------------------------------------------------------------------- +Fri Dec 3 12:09:40 UTC 2010 - puzel@novell.com + +- update to libxml-2.7.8 + - number of bufixes, documentation and portability fixes + - update language ID parser to RFC 5646 + - sort python generated stubs + - add an HTML parser option to avoid a default doctype + - see http://xmlsoft.org/news.html for exact details +- drop libxml2-xpath-ns-attr-axis.patch (in upstream) +- clean up specfile + +------------------------------------------------------------------- +Mon Nov 1 10:00:04 UTC 2010 - puzel@novell.com + +- add libxml2-xpath-ns-attr-axis.patch (bnc#648277) + +------------------------------------------------------------------- +Sat Oct 30 22:45:22 UTC 2010 - cristian.rodriguez@opensuse.org + +- Use --disable-static + +------------------------------------------------------------------- +Mon Sep 20 11:36:31 UTC 2010 - puzel@novell.com + +- drop libxml2-largefile64.patch (revert last change) + - the issue is fixed in zlib + +------------------------------------------------------------------- +Fri Sep 17 16:28:46 UTC 2010 - puzel@novell.com + +- add libxml2-largefile64.patch (fixes build) + - debian bug#439843 + +------------------------------------------------------------------- +Wed Jul 14 20:05:00 UTC 2010 - jw@novell.com + +- added noxref.patch, + this implements a new --noxref option, which turns + validation errors about missing xrefs into warnings. 
+ Upstreamed as https://bugzilla.gnome.org/show_bug.cgi?id=624386 + +------------------------------------------------------------------- +Sat Apr 24 09:50:01 UTC 2010 - coolo@novell.com + +- buildrequire pkg-config to fix provides + +------------------------------------------------------------------- +Tue Mar 23 23:46:00 CET 2010 - mrdocs@opensuse.org + +- update to 2.7.7 +- add extra options to ./configure for scribus features and avoid a crash +- updates from 2.7.3 > 2.7.7 include a number of portability, correctness + memory leaks and build fixes including some CVE +- see http://xmlsoft.org/news.html for exact details + +------------------------------------------------------------------- +Mon Feb 22 22:11:00 CET 2010 - mrdocs@opensuse.org + +- add sax parser option compiled in + +------------------------------------------------------------------- +Mon Dec 14 16:14:49 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source +- package documentation as noarch + +------------------------------------------------------------------- +Sun Aug 2 16:58:15 UTC 2009 - jansimon.moeller@opensuse.org + +- Disable the check for ARM as qemu-arm can't keep up atm. + +------------------------------------------------------------------- +Thu Mar 19 10:16:50 CET 2009 - prusnak@suse.cz + +- updated to 2.7.2 + * Portability fix: fix solaris compilation problem, + fix compilation if XPath is not configured in + * Bug fixes: nasty entity bug introduced in 2.7.0, restore old + behaviour when saving an HTML doc with an xml dump function, + HTML UTF-8 parsing bug, fix reader custom error handlers + (Riccardo Scussat) + * Improvement: xmlSave options for more flexibility to save + as XML/HTML/XHTML, handle leading BOM in HTML documents +- updated to 2.7.3 + * Build fix: fix build when HTML support is not included. 
+ * Bug fixes: avoid memory overflow in gigantic text nodes, + indentation problem on the writed (Rob Richards), + xmlAddChildList pointer problem (Rob Richards and Kevin Milburn), + xmlAddChild problem with attribute (Rob Richards and Kris Breuker), + avoid a memory leak in an edge case (Daniel Zimmermann), + deallocate some pthread data (Alex Ott). + * Improvements: configure option to avoid rebuilding docs + (Adrian Bunk), limit text nodes to 10MB max by default, + add element traversal APIs, add a parser option to enable + pre 2.7 SAX behavior (Rob Richards), + add gcc malloc checking (Marcus Meissner), + add gcc printf like functions parameters checking (Marcus Meissner). +- dropped obsoleted patches: + * alloc_size.patch (mainline) + * CVE-2008-4225.patch (mainline) + * CVE-2008-4226.patch (mainline) + * CVE-2008-4409.patch (mainline) + * oldsax.patch (mainline) + * pritnf.patch (mainline) + * xmlsave.patch (mainline) + +------------------------------------------------------------------- +Mon Jan 12 17:21:59 CET 2009 - prusnak@suse.cz + +- added oldsax.patch to enable pre 2.7.0 sax behaviour [bnc#457056] + +------------------------------------------------------------------- +Wed Dec 10 12:34:56 CET 2008 - olh@suse.de + +- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade + (bnc#437293) + +------------------------------------------------------------------- +Tue Nov 25 16:00:27 CET 2008 - prusnak@suse.cz + +- fix broken xmlsave (xmlsave.patch) [bnc#437203] + +------------------------------------------------------------------- +Tue Nov 18 16:24:39 CET 2008 - prusnak@suse.cz + +- fixed CVE-2008-4225 [bnc#445677] + +------------------------------------------------------------------- +Thu Nov 6 12:02:25 CET 2008 - prusnak@suse.cz + +- fixed CVE-2008-4226 [bnc#441368] + +------------------------------------------------------------------- +Thu Oct 30 12:34:56 CET 2008 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + 
+------------------------------------------------------------------- ++++ 1350 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.1:Update/.libxml2.1604.new/libxml2.changes New: ---- baselibs.conf libxml2-2.7.8+git20110708.tar.gz libxml2-CVE-2011-2821.patch libxml2-CVE-2011-3102.patch libxml2-CVE-2012-0841.patch libxml2-CVE-2012-2807.patch libxml2-CVE-2012-5134.patch libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch libxml2-python-rpmlintrc libxml2-python.changes libxml2-python.spec libxml2.changes libxml2.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2-python.spec ++++++ # # spec file for package libxml2-python # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libxml2-python Version: 2.7.8+git20110708 Release: 0 Summary: Python Bindings for libxml2 License: MIT Group: Development/Libraries/Python Url: http://xmlsoft.org Source: libxml2-%{version}.tar.gz Source1: libxml2-python-rpmlintrc BuildRequires: libxml2-devel BuildRequires: python-devel BuildRequires: python-xml %py_requires Requires: libxml2 = %{version} # Uncomment to save space: #NoSource: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build %description The libxml2-python package contains a module that permits applications written in the Python programming language to use the interface supplied by the libxml2 library to manipulate XML files. This library allows manipulation of XML files. It includes support for reading, modifying, and writing XML and HTML files. There is DTD support that includes parsing and validation even with complex DTDs, either at parse time or later once the document has been modified. %prep %setup -q -n libxml2-2.7.8 %build # workaround for bnc#310196 %ifarch s390 s390x export RPM_OPT_FLAGS=${RPM_OPT_FLAGS/-O2/-O1} %endif export CFLAGS="%{optflags} -fno-strict-aliasing" %configure \ --with-fexceptions \ --with-history \ --enable-ipv6 \ --with-sax1 \ --with-regexps \ --with-threads \ --with-reader \ --with-http # use libxml2 as built by libxml2 source package mkdir .libs cp -v %{_libdir}/libxml2.la . make -C python %{?_smp_mflags} %install make -C python install \ DESTDIR=%{buildroot} \ pythondir=%{py_sitedir} \ PYTHON_SITE_PACKAGES=%{py_sitedir} # Unwanted doc stuff rm -fr %{buildroot}%{_datadir}/doc rm -f python/tests/Makefile* # #223696 rm -f %{buildroot}%{py_sitedir}/*.{la,a} %clean rm -rf %{buildroot} %files %defattr(-, root, root) %doc python/TODO %doc python/libxml2class.txt %doc python/tests %{py_sitedir}/* %changelog ++++++ libxml2.spec ++++++ # # spec file for package libxml2 # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. 
# # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libxml2 Version: 2.7.8+git20110708 Release: 0 Summary: A Library to Manipulate XML Files License: MIT Group: System/Libraries Url: http://xmlsoft.org Source: %{name}-%{version}.tar.gz Source2: baselibs.conf Patch: libxml2-CVE-2011-2821.patch Patch1: libxml2-CVE-2012-0841.patch # PATCH-FIX-UPSTREAM CVE-2011-3102 (bnc#764538) Patch2: libxml2-CVE-2011-3102.patch Patch3: libxml2-CVE-2012-2807.patch # PATCH-FIX-UPSTREAM CVE-2012-5134 (bnc#793334) Patch4: libxml2-CVE-2012-5134.patch Patch5: libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch BuildRequires: autoconf BuildRequires: pkg-config BuildRequires: readline-devel BuildRequires: zlib-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build # bug437293 %ifarch ppc64 Obsoletes: libxml2-64bit %endif %description The XML C library was initially developed for the GNOME project. It is now used by many programs to load and save extensible data structures or manipulate any kind of XML files. This library implements a number of existing standards related to markup languages, including the XML standard, name spaces in XML, XML Base, RFC 2396, XPath, XPointer, HTML4, XInclude, SGML catalogs, and XML catalogs. In most cases, libxml tries to implement the specification in a rather strict way. 
To some extent, it provides support for the following specifications, but does not claim to implement them: DOM, FTP client, HTTP client, and SAX. The library also supports RelaxNG. Support for W3C XML Schemas is in progress. %package devel Summary: Include Files and Libraries mandatory for Development Group: Development/Libraries/C and C++ Requires: %{name} = %{version} Requires: glibc-devel Requires: readline-devel Requires: zlib-devel # bug437293 %ifarch ppc64 Obsoletes: libxml2-devel-64bit %endif %description devel This package contains all necessary include files and libraries needed to develop applications that require these. %package doc Summary: A Library to Manipulate XML Files Group: System/Libraries Requires: %{name} = %{version} %if 0%{?suse_version} >= 1120 BuildArch: noarch %endif %description doc The XML C library was initially developed for the GNOME project. It is now used by many programs to load and save extensible data structures or manipulate any kind of XML files. This library implements a number of existing standards related to markup languages, including the XML standard, name spaces in XML, XML Base, RFC 2396, XPath, XPointer, HTML4, XInclude, SGML catalogs, and XML catalogs. In most cases, libxml tries to implement the specification in a rather strict way. To some extent, it provides support for the following specifications, but does not claim to implement them: DOM, FTP client, HTTP client, and SAX. The library also supports RelaxNG. Support for W3C XML Schemas is in progress. 
%prep %setup -q -n %{name}-2.7.8 %patch -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %build # needed with patch3 - until it is no longer required %__autoconf %configure --disable-static \ --with-html-subdir=packages/%{name}/html \ --with-fexceptions \ --with-history \ --without-python \ --enable-ipv6 \ --with-sax1 \ --with-regexps \ --with-threads \ --with-reader \ --with-http make %{?_smp_mflags} DOC_MODULE=packages/%{name} %install %makeinstall DOC_MODULE=packages/%{name} cp -a AUTHORS NEWS README COPYING* Copyright TODO* %{buildroot}%{_docdir}/%{name}/ ln -s libxml2/libxml %{buildroot}%{_includedir}/libxml %check # qemu-arm can't keep up atm, disabling check for arm %ifnarch %arm make check %endif %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %clean rm -rf %{buildroot} %files %defattr(-, root, root) %doc %dir %{_docdir}/%{name} %doc %{_docdir}/%{name}/[ANRCT]* %{_bindir}/xmllint %{_bindir}/xmlcatalog %{_libdir}/lib*.so.* %doc %{_mandir}/man1/xmllint.1* %doc %{_mandir}/man1/xmlcatalog.1* %files devel %defattr(-, root, root) %{_bindir}/xml2-config %{_datadir}/aclocal/libxml.m4 %{_includedir}/libxml %{_includedir}/libxml2 %{_libdir}/lib*.so %{_libdir}/libxml2.la %{_libdir}/*.sh %{_libdir}/pkgconfig/*.pc %doc %{_mandir}/man1/xml2-config.1* %doc %{_mandir}/man3/libxml.3* %files doc %defattr(-, root, root) %{_datadir}/gtk-doc/html/* %doc %{_docdir}/%{name}/examples %doc %{_docdir}/%{name}/html # owning these directories prevents gtk-doc <-> libxml2 build loop: %dir %{_datadir}/gtk-doc %dir %{_datadir}/gtk-doc/html %changelog ++++++ baselibs.conf ++++++ libxml2 libxml2-devel ++++++ libxml2-CVE-2011-2821.patch ++++++
From f5048b3e71fc30ad096970b8df6e7af073bae4cb Mon Sep 17 00:00:00 2001 From: Daniel Veillard <veillard@redhat.com> Date: Thu, 18 Aug 2011 09:10:13 +0000 Subject: Hardening of XPath evaluation
Add a mechanism of frame for XPath evaluation when entering a function or a scoped evaluation, also fix a potential problem in predicate evaluation. --- diff --git a/include/libxml/xpath.h b/include/libxml/xpath.h index 1a9e30e..ddd9dd8 100644 --- a/include/libxml/xpath.h +++ b/include/libxml/xpath.h @@ -68,7 +68,8 @@ typedef enum { XPATH_UNDEF_PREFIX_ERROR, XPATH_ENCODING_ERROR, XPATH_INVALID_CHAR_ERROR, - XPATH_INVALID_CTXT + XPATH_INVALID_CTXT, + XPATH_STACK_ERROR } xmlXPathError; /* @@ -380,6 +381,8 @@ struct _xmlXPathParserContext { xmlXPathCompExprPtr comp; /* the precompiled expression */ int xptr; /* it this an XPointer expression */ xmlNodePtr ancestor; /* used for walking preceding axis */ + + int valueFrame; /* used to limit Pop on the stack */ }; /************************************************************************ diff --git a/xpath.c b/xpath.c index b59ac5a..bcee2ea 100644 --- a/xpath.c +++ b/xpath.c @@ -252,6 +252,7 @@ static const char *xmlXPathErrorMessages[] = { "Encoding error\n", "Char out of XML range\n", "Invalid or incomplete context\n", + "Stack usage errror\n", "?? Unknown error ??\n" /* Must be last in the list! */ }; #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) / \ 
@@ -2398,6 +2399,42 @@ xmlXPathCacheConvertNumber(xmlXPathContextPtr ctxt, xmlXPathObjectPtr val) { ************************************************************************/ /** + * xmlXPathSetFrame: + * @ctxt: an XPath parser context + * + * Set the callee evaluation frame + * + * Returns the previous frame value to be restored once done + */ +static int +xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) { + int ret; + + if (ctxt == NULL) + return(0); + ret = ctxt->valueFrame; + ctxt->valueFrame = ctxt->valueNr; + return(ret); +} + +/** + * xmlXPathPopFrame: + * @ctxt: an XPath parser context + * @frame: the previous frame value + * + * Remove the callee evaluation frame + */ +static void +xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) { + if (ctxt == NULL) + return; + if (ctxt->valueNr < ctxt->valueFrame) { + xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR); + } + ctxt->valueFrame = frame; +} + +/** * valuePop: * @ctxt: an XPath evaluation context * @@ -2412,6 +2449,12 @@ valuePop(xmlXPathParserContextPtr ctxt) if ((ctxt == NULL) || (ctxt->valueNr <= 0)) return (NULL); + + if (ctxt->valueNr <= ctxt->valueFrame) { + xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR); + return (NULL); + } + ctxt->valueNr--; if (ctxt->valueNr > 0) ctxt->value = ctxt->valueTab[ctxt->valueNr - 1]; @@ -6154,6 +6197,7 @@ xmlXPathCompParserContext(xmlXPathCompExprPtr comp, xmlXPathContextPtr ctxt) { ret->valueNr = 0; ret->valueMax = 10; ret->value = NULL; + ret->valueFrame = 0; ret->context = ctxt; ret->comp = comp; @@ -11711,6 +11755,7 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr contextObj = NULL, exprRes = NULL; xmlNodePtr oldContextNode, contextNode = NULL; xmlXPathContextPtr xpctxt = ctxt->context; + int frame; #ifdef LIBXML_XPTR_ENABLED /* 
@@ -11730,6 +11775,8 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, */ exprOp = &ctxt->comp->steps[op->ch2]; for (i = 0; i < set->nodeNr; i++) { + xmlXPathObjectPtr tmp; + if (set->nodeTab[i] == NULL) continue; @@ -11757,23 +11804,25 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, xmlXPathNodeSetAddUnique(contextObj->nodesetval, contextNode); + frame = xmlXPathSetFrame(ctxt); valuePush(ctxt, contextObj); res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1); + tmp = valuePop(ctxt); + xmlXPathPopFrame(ctxt, frame); if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { - xmlXPathObjectPtr tmp; - /* pop the result if any */ - tmp = valuePop(ctxt); - if (tmp != contextObj) { + while (tmp != contextObj) { /* * Free up the result * then pop off contextObj, which will be freed later */ xmlXPathReleaseObject(xpctxt, tmp); - valuePop(ctxt); + tmp = valuePop(ctxt); } goto evaluation_error; } + /* push the result back onto the stack */ + valuePush(ctxt, tmp); if (res) pos++; @@ -13377,7 +13426,9 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) xmlXPathFunction func; const xmlChar *oldFunc, *oldFuncURI; int i; + int frame; + frame = xmlXPathSetFrame(ctxt); if (op->ch1 != -1) total += xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); @@ -13385,15 +13436,18 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) xmlGenericError(xmlGenericErrorContext, "xmlXPathCompOpEval: parameter error\n"); ctxt->error = XPATH_INVALID_OPERAND; + xmlXPathPopFrame(ctxt, frame); return (total); } - for (i = 0; i < op->value; i++) + for (i = 0; i < op->value; i++) { if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) { xmlGenericError(xmlGenericErrorContext, "xmlXPathCompOpEval: parameter error\n"); ctxt->error = XPATH_INVALID_OPERAND; + xmlXPathPopFrame(ctxt, frame); return (total); } + } if (op->cache != NULL) XML_CAST_FPTR(func) = op->cache; else { 
@@ -13409,6 +13463,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) xmlGenericError(xmlGenericErrorContext, "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n", (char *)op->value4, (char *)op->value5); + xmlXPathPopFrame(ctxt, frame); return (total); } func = xmlXPathFunctionLookupNS(ctxt->context, @@ -13430,6 +13485,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) func(ctxt, op->value); ctxt->context->function = oldFunc; ctxt->context->functionURI = oldFuncURI; + xmlXPathPopFrame(ctxt, frame); return (total); } case XPATH_OP_ARG: @@ -14333,6 +14389,7 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) ctxt->valueNr = 0; ctxt->valueMax = 10; ctxt->value = NULL; + ctxt->valueFrame = 0; } #ifdef XPATH_STREAMING if (ctxt->comp->stream) { diff --git a/xpointer.c b/xpointer.c index 7a42d02..37afa3a 100644 --- a/xpointer.c +++ b/xpointer.c @@ -1269,6 +1269,7 @@ xmlXPtrEvalXPointer(xmlXPathParserContextPtr ctxt) { ctxt->valueNr = 0; ctxt->valueMax = 10; ctxt->value = NULL; + ctxt->valueFrame = 0; } SKIP_BLANKS; if (CUR == '/') { -- cgit v0.9.0.2 ++++++ libxml2-CVE-2011-3102.patch ++++++
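Review bot: in libxml2-CVE-2011-2821.patch, the string added to xmlXPathErrorMessages in xpath.c (hunk @@ -252,6 +252,7) is misspelled: "Stack usage errror\n" should read "Stack usage error\n". This is the text reported when valuePop or xmlXPathPopFrame raise XPATH_STACK_ERROR, so it is worth correcting before it ends up in logs and bug reports. The position of the entry, just before "?? Unknown error ??", matches XPATH_STACK_ERROR being appended as the last xmlXPathError value in xpath.h, so only the spelling needs to change.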
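Review bot: in libxml2-CVE-2011-2821.patch, the error path of xmlXPathCompOpEvalPositionalPredicate (xpath.c, hunk @@ -11757,23 +11804,25) now loops with `while (tmp != contextObj)` and refills tmp from valuePop(ctxt), but the same patch makes valuePop return NULL once valueNr is down to valueFrame, in addition to the existing NULL return on an empty stack. If contextObj is no longer on the stack when the error is handled, tmp stays NULL and the loop has no exit. Consider `while ((tmp != NULL) && (tmp != contextObj))`, and on the success path check tmp before `valuePush(ctxt, tmp);`.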
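Review bot: in libxml2-CVE-2011-2821.patch, the function-call case of xmlXPathCompOpEval (xpath.c, hunks @@ -13377, @@ -13385, @@ -13409 and @@ -13430) restores the frame by hand, with xmlXPathPopFrame(ctxt, frame) placed before each of four separate `return (total);` statements. Any return in this case that lies outside the shown context, or one added later, would leave valueFrame at the callee's value and could make later valuePop calls fail with XPATH_STACK_ERROR. A single exit label that calls xmlXPathPopFrame once would make the pairing with xmlXPathSetFrame easy to verify.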
From d8e1faeaa99c7a7c07af01c1c72de352eb590a3e Mon Sep 17 00:00:00 2001 From: Jüri Aedla <asd@ut.ee> Date: Mon, 07 May 2012 07:06:56 +0000 Subject: Fix an off by one pointer access
getting out of the range of memory allocated for xpointer decoding --- diff --git a/xpointer.c b/xpointer.c index 37afa3a..0b463dd 100644 --- a/xpointer.c +++ b/xpointer.c @@ -1007,21 +1007,14 @@ xmlXPtrEvalXPtrPart(xmlXPathParserContextPtr ctxt, xmlChar *name) { NEXT; break; } - *cur++ = CUR; } else if (CUR == '(') { level++; - *cur++ = CUR; } else if (CUR == '^') { - NEXT; - if ((CUR == ')') || (CUR == '(') || (CUR == '^')) { - *cur++ = CUR; - } else { - *cur++ = '^'; - *cur++ = CUR; - } - } else { - *cur++ = CUR; + if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) { + NEXT; + } } + *cur++ = CUR; NEXT; } *cur = 0; -- cgit v0.9.0.2 ++++++ libxml2-CVE-2012-0841.patch ++++++
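Review bot: in libxml2-CVE-2011-3102.patch, the single `*cur++ = CUR;` that now closes the loop body in xmlXPtrEvalXPtrPart (xpointer.c, hunk @@ -1007,21 +1007,14) depends on an invariant that is stated nowhere: an iteration writes at most one byte and never more bytes than it consumes, where the removed '^' branch could write two (`*cur++ = '^'; *cur++ = CUR;`) after already stepping past the '^' with NEXT. A short comment above the loop saying so, plus a regression test whose XPointer part ends in a lone '^', would keep a later edit from reintroducing the out-of-range write the commit message describes.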
From 8973d58b7498fa5100a876815476b81fd1a2412a Mon Sep 17 00:00:00 2001 From: Daniel Veillard <veillard@redhat.com> Date: Sat, 04 Feb 2012 11:07:44 +0000 Subject: Add hash randomization to hash and dict structures
Following http://www.ocert.org/advisories/ocert-2011-003.html it seems that having hash randomization might be a good idea when using XML with untrusted data * configure.in: lookup for rand, srand and time * dict.c: add randomization to dictionaries hash tables * hash.c: add randomization to normal hash tables --- diff --git a/configure.in b/configure.in index fa80375..828b66a 100644 --- a/configure.in +++ b/configure.in @@ -512,6 +512,7 @@ AC_CHECK_FUNCS(strdup strndup strerror) AC_CHECK_FUNCS(finite isnand fp_class class fpclass) AC_CHECK_FUNCS(strftime localtime gettimeofday ftime) AC_CHECK_FUNCS(stat _stat signal) +AC_CHECK_FUNCS(rand srand time) dnl Checking the standard string functions availability AC_CHECK_FUNCS(printf sprintf fprintf snprintf vfprintf vsprintf vsnprintf sscanf,, diff --git a/dict.c b/dict.c index 3eff231..ae4966b 100644 --- a/dict.c +++ b/dict.c @@ -2,7 +2,7 @@ * dict.c: dictionary of reusable strings, just used to avoid allocation * and freeing operations. * - * Copyright (C) 2003 Daniel Veillard. + * Copyright (C) 2003-2012 Daniel Veillard. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
@@ -19,6 +19,28 @@ #define IN_LIBXML #include "libxml.h" +#ifdef HAVE_STDLIB_H +#include <stdlib.h> +#endif +#ifdef HAVE_TIME_H +#include <time.h> +#endif + +/* + * Following http://www.ocert.org/advisories/ocert-2011-003.html + * it seems that having hash randomization might be a good idea + * when using XML with untrusted data + * Note1: that it works correctly only if compiled with WITH_BIG_KEY + * which is the default. + * Note2: the fast function used for a small dict won't protect very + * well but since the attack is based on growing a very big hash + * list we will use the BigKey algo as soon as the hash size grows + * over MIN_DICT_SIZE so this actually works + */ +#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME) +#define DICT_RANDOMIZATION +#endif + #include <string.h> #ifdef HAVE_STDINT_H #include <stdint.h> 
@@ -44,23 +66,23 @@ typedef unsigned __int32 uint32_t; #define WITH_BIG_KEY #ifdef WITH_BIG_KEY -#define xmlDictComputeKey(dict, name, len) \ - (((dict)->size == MIN_DICT_SIZE) ? \ - xmlDictComputeFastKey(name, len) : \ - xmlDictComputeBigKey(name, len)) - -#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ - (((prefix) == NULL) ? \ - (xmlDictComputeKey(dict, name, len)) : \ - (((dict)->size == MIN_DICT_SIZE) ? \ - xmlDictComputeFastQKey(prefix, plen, name, len) : \ - xmlDictComputeBigQKey(prefix, plen, name, len))) +#define xmlDictComputeKey(dict, name, len) \ + (((dict)->size == MIN_DICT_SIZE) ? \ + xmlDictComputeFastKey(name, len, (dict)->seed) : \ + xmlDictComputeBigKey(name, len, (dict)->seed)) + +#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ + (((prefix) == NULL) ? \ + (xmlDictComputeKey(dict, name, len)) : \ + (((dict)->size == MIN_DICT_SIZE) ? \ + xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) : \ + xmlDictComputeBigQKey(prefix, plen, name, len, (dict)->seed))) #else /* !WITH_BIG_KEY */ -#define xmlDictComputeKey(dict, name, len) \ - xmlDictComputeFastKey(name, len) -#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ - xmlDictComputeFastQKey(prefix, plen, name, len) +#define xmlDictComputeKey(dict, name, len) \ + xmlDictComputeFastKey(name, len, (dict)->seed) +#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ + xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) #endif /* WITH_BIG_KEY */ /* @@ -98,6 +120,8 @@ struct _xmlDict { xmlDictStringsPtr strings; struct _xmlDict *subdict; + /* used for randomization */ + int seed; }; /* @@ -125,6 +149,9 @@ static int xmlInitializeDict(void) { if ((xmlDictMutex = xmlNewRMutex()) == NULL) return(0); +#ifdef DICT_RANDOMIZATION + srand(time(NULL)); +#endif xmlDictInitialized = 1; return(1); } 
@@ -277,13 +304,13 @@ found_pool: */ static uint32_t -xmlDictComputeBigKey(const xmlChar* data, int namelen) { +xmlDictComputeBigKey(const xmlChar* data, int namelen, int seed) { uint32_t hash; int i; if (namelen <= 0 || data == NULL) return(0); - hash = 0; + hash = seed; for (i = 0;i < namelen; i++) { hash += data[i]; @@ -310,12 +337,12 @@ xmlDictComputeBigKey(const xmlChar* data, int namelen) { */ static unsigned long xmlDictComputeBigQKey(const xmlChar *prefix, int plen, - const xmlChar *name, int len) + const xmlChar *name, int len, int seed) { uint32_t hash; int i; - hash = 0; + hash = seed; for (i = 0;i < plen; i++) { hash += prefix[i]; @@ -346,8 +373,8 @@ xmlDictComputeBigQKey(const xmlChar *prefix, int plen, * for low hash table fill. */ static unsigned long -xmlDictComputeFastKey(const xmlChar *name, int namelen) { - unsigned long value = 0L; +xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { + unsigned long value = seed; if (name == NULL) return(0); value = *name; @@ -381,9 +408,9 @@ xmlDictComputeFastKey(const xmlChar *name, int namelen) { */ static unsigned long xmlDictComputeFastQKey(const xmlChar *prefix, int plen, - const xmlChar *name, int len) + const xmlChar *name, int len, int seed) { - unsigned long value = 0L; + unsigned long value = (unsigned long) seed; if (plen == 0) value += 30 * (unsigned long) ':'; @@ -460,6 +487,11 @@ xmlDictCreate(void) { dict->subdict = NULL; if (dict->dict) { memset(dict->dict, 0, MIN_DICT_SIZE * sizeof(xmlDictEntry)); +#ifdef DICT_RANDOMIZATION + dict->seed = rand(); +#else + dict->seed = 0; +#endif return(dict); } xmlFree(dict); @@ -486,6 +518,7 @@ xmlDictCreateSub(xmlDictPtr sub) { #ifdef DICT_DEBUG_PATTERNS fprintf(stderr, "R"); #endif + dict->seed = sub->seed; dict->subdict = sub; xmlDictReference(dict->subdict); } diff --git a/hash.c b/hash.c index b78bc2d..fe1424f 100644 --- a/hash.c +++ b/hash.c 
@@ -3,7 +3,7 @@ * * Reference: Your favorite introductory book on algorithms * - * Copyright (C) 2000 Bjorn Reese and Daniel Veillard. + * Copyright (C) 2000,2012 Bjorn Reese and Daniel Veillard. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -21,6 +21,22 @@ #include "libxml.h" #include <string.h> +#ifdef HAVE_STDLIB_H +#include <stdlib.h> +#endif +#ifdef HAVE_TIME_H +#include <time.h> +#endif + +/* + * Following http://www.ocert.org/advisories/ocert-2011-003.html + * it seems that having hash randomization might be a good idea + * when using XML with untrusted data + */ +#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME) +#define HASH_RANDOMIZATION +#endif + #include <libxml/parser.h> #include <libxml/hash.h> #include <libxml/xmlmemory.h> @@ -31,6 +47,10 @@ /* #define DEBUG_GROW */ +#ifdef HASH_RANDOMIZATION +static int hash_initialized = 0; +#endif + /* * A single entry in the hash table */ @@ -53,6 +73,9 @@ struct _xmlHashTable { int size; int nbElems; xmlDictPtr dict; +#ifdef HASH_RANDOMIZATION + int random_seed; +#endif }; /* @@ -65,6 +88,9 @@ xmlHashComputeKey(xmlHashTablePtr table, const xmlChar *name, unsigned long value = 0L; char ch; +#ifdef HASH_RANDOMIZATION + value = table->random_seed; +#endif if (name != NULL) { value += 30 * (*name); while ((ch = *name++) != 0) { @@ -92,6 +118,9 @@ xmlHashComputeQKey(xmlHashTablePtr table, unsigned long value = 0L; char ch; +#ifdef HASH_RANDOMIZATION + value = table->random_seed; +#endif if (prefix != NULL) value += 30 * (*prefix); else 
@@ -156,6 +185,13 @@ xmlHashCreate(int size) { table->table = xmlMalloc(size * sizeof(xmlHashEntry)); if (table->table) { memset(table->table, 0, size * sizeof(xmlHashEntry)); +#ifdef HASH_RANDOMIZATION + if (!hash_initialized) { + srand(time(NULL)); + hash_initialized = 1; + } + table->random_seed = rand(); +#endif return(table); } xmlFree(table); -- cgit v0.9.0.2 ++++++ libxml2-CVE-2012-2807.patch ++++++
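Review bot: in xmlDictComputeFastKey (dict.c), the new `unsigned long value = seed;` is overwritten two statements later by the unchanged context line `value = *name;`, so the seed never reaches the fast key and a dictionary at MIN_DICT_SIZE hashes exactly as before. Either fold the seed in (`value += *name;`) or, if this is what Note2 in the new header comment intends, drop the parameter so the signature does not suggest protection the function does not give. xmlDictComputeFastQKey differs here: in the visible lines it only adds to `value` after the seed assignment, and it casts the seed where this function does not.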
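Review bot: in xmlHashCreate (hash.c), `hash_initialized` is a plain static int tested and set without any lock, so two threads creating their first tables can both run `srand(time(NULL));`. xmlInitializeDict in dict.c calls srand(time(NULL)) too, so the process is seeded from two places, and calling srand() from a library resets the host application's own rand() sequence. time(NULL) has one-second resolution, so the per-table seed is only as unpredictable as the process start time. Suggest a generator private to the library, initialised once in one place, so that neither file touches the global rand() state.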
From 459eeb9dc752d5185f57ff6b135027f11981a626 Mon Sep 17 00:00:00 2001 From: Daniel Veillard <veillard@redhat.com> Date: Tue, 17 Jul 2012 08:19:17 +0000 Subject: Fix parser local buffers size problems
--- Index: libxml2-2.7.8/parser.c =================================================================== --- libxml2-2.7.8.orig/parser.c 2011-06-05 05:42:03.000000000 +0200 +++ libxml2-2.7.8/parser.c 2012-08-01 12:23:57.532366270 +0200 @@ -40,6 +40,7 @@ #endif #include <stdlib.h> +#include <limits.h> #include <string.h> #include <stdarg.h> #include <libxml/xmlmemory.h> @@ -114,10 +115,10 @@ xmlCreateEntityParserCtxtInternal(const * parser option. */ static int -xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size, +xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, xmlEntityPtr ent) { - unsigned long consumed = 0; + size_t consumed = 0; if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE)) return (0); @@ -2581,15 +2582,17 @@ xmlParserHandlePEReference(xmlParserCtxt /* * Macro used to grow the current buffer. + * buffer##_size is expected to be a size_t + * mem_error: is expected to handle memory allocation failures */ #define growBuffer(buffer, n) { \ xmlChar *tmp; \ - buffer##_size *= 2; \ - buffer##_size += n; \ - tmp = (xmlChar *) \ - xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \ + size_t new_size = buffer##_size * 2 + n; \ + if (new_size < buffer##_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ if (tmp == NULL) goto mem_error; \ buffer = tmp; \ + buffer##_size = new_size; \ } /** @@ -2615,14 +2618,14 @@ xmlChar * xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, int what, xmlChar end, xmlChar end2, xmlChar end3) { xmlChar *buffer = NULL; - int buffer_size = 0; + size_t buffer_size = 0; + size_t nbchars = 0; xmlChar *current = NULL; xmlChar *rep = NULL; const xmlChar *last; xmlEntityPtr ent; int c,l; - int nbchars = 0; if ((ctxt == NULL) || (str == NULL) || (len < 0)) return(NULL); 
@@ -2639,7 +2642,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt * allocate a translation buffer. */ buffer_size = XML_PARSER_BIG_BUFFER_SIZE; - buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar)); + buffer = (xmlChar *) xmlMallocAtomic(buffer_size); if (buffer == NULL) goto mem_error; /* @@ -2659,7 +2662,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt if (val != 0) { COPY_BUF(0,buffer,nbchars,val); } - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) { @@ -2677,7 +2680,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { if (ent->content != NULL) { COPY_BUF(0,buffer,nbchars,ent->content[0]); - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } else { @@ -2694,8 +2697,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt current = rep; while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { if (xmlParserEntityCheck(ctxt, nbchars, ent)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); @@ -2709,7 +2711,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt const xmlChar *cur = ent->name; buffer[nbchars++] = '&'; - if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { + if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } for (;i > 0;i--) 
@@ -2737,8 +2739,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt current = rep; while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { if (xmlParserEntityCheck(ctxt, nbchars, ent)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); @@ -2751,8 +2752,8 @@ xmlStringLenDecodeEntities(xmlParserCtxt } else { COPY_BUF(l,buffer,nbchars,c); str += l; - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { - growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } if (str < last) @@ -3756,8 +3757,8 @@ xmlParseAttValueComplex(xmlParserCtxtPtr xmlChar limit = 0; xmlChar *buf = NULL; xmlChar *rep = NULL; - int len = 0; - int buf_size = 0; + size_t len = 0; + size_t buf_size = 0; int c, l, in_space = 0; xmlChar *current = NULL; xmlEntityPtr ent; @@ -3779,7 +3780,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr * allocate a translation buffer. */ buf_size = XML_PARSER_BUFFER_SIZE; - buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar)); + buf = (xmlChar *) xmlMallocAtomic(buf_size); if (buf == NULL) goto mem_error; /* @@ -3796,7 +3797,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr if (val == '&') { if (ctxt->replaceEntities) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } buf[len++] = '&'; @@ -3805,7 +3806,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr * The reparsing will be done in xmlStringGetNodeList() * called by the attribute() function in SAX.c */ - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } buf[len++] = '&'; @@ -3815,7 +3816,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr buf[len++] = ';'; } } else if (val != 0) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } len += xmlCopyChar(0, &buf[len], val); 
@@ -3827,7 +3828,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt->nbentities += ent->owner; if ((ent != NULL) && (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } if ((ctxt->replaceEntities == 0) && @@ -3855,7 +3856,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr current++; } else buf[len++] = *current++; - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } } @@ -3863,7 +3864,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr rep = NULL; } } else { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } if (ent->content != NULL) @@ -3891,7 +3892,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr * Just output the reference */ buf[len++] = '&'; - while (len > buf_size - i - 10) { + while (len + i + 10 > buf_size) { growBuffer(buf, i + 10); } for (;i > 0;i--) @@ -3904,7 +3905,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr if ((len != 0) || (!normalize)) { if ((!normalize) || (!in_space)) { COPY_BUF(l,buf,len,0x20); - while (len > buf_size - 10) { + while (len + 10 > buf_size) { growBuffer(buf, 10); } } @@ -3913,7 +3914,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr } else { in_space = 0; COPY_BUF(l,buf,len,c); - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } } 
@@ -3938,7 +3939,18 @@ xmlParseAttValueComplex(xmlParserCtxtPtr } } else NEXT; - if (attlen != NULL) *attlen = len; + + /* + * There we potentially risk an overflow, don't allow attribute value of + * lenght more than INT_MAX it is a very reasonnable assumption ! + */ + if (len >= INT_MAX) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue lenght too long\n"); + goto mem_error; + } + + if (attlen != NULL) *attlen = (int) len; return(buf); mem_error: Index: libxml2-2.7.8/entities.c =================================================================== --- libxml2-2.7.8.orig/entities.c 2010-03-25 10:27:21.000000000 +0100 +++ libxml2-2.7.8/entities.c 2012-08-01 12:22:15.537330144 +0200 @@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xml * Macro used to grow the current buffer. */ #define growBufferReentrant() { \ - buffer_size *= 2; \ - buffer = (xmlChar *) \ - xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \ - if (buffer == NULL) { \ - xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\ - return(NULL); \ - } \ + xmlChar *tmp; \ + size_t new_size = buffer_size *= 2; \ + if (new_size < buffer_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ + if (tmp == NULL) goto mem_error; \ + buffer = tmp; \ + buffer_size = new_size; \ } @@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc const xmlChar *cur = input; xmlChar *buffer = NULL; xmlChar *out = NULL; - int buffer_size = 0; + size_t buffer_size = 0; int html = 0; if (input == NULL) return(NULL); @@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc out = buffer; while (*cur != '\0') { - if (out - buffer > buffer_size - 100) { - int indx = out - buffer; + size_t indx = out - buffer; + if (indx + 100 > buffer_size) { growBufferReentrant(); out = &buffer[indx]; 
@@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc } *out = 0; return(buffer); + +mem_error: + xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed"); + xmlFree(buffer); + return(NULL); } /** @@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR const xmlChar *cur = input; xmlChar *buffer = NULL; xmlChar *out = NULL; - int buffer_size = 0; + size_t buffer_size = 0; if (input == NULL) return(NULL); /* @@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR out = buffer; while (*cur != '\0') { - if (out - buffer > buffer_size - 10) { - int indx = out - buffer; + size_t indx = out - buffer; + if (indx + 10 > buffer_size) { growBufferReentrant(); out = &buffer[indx]; @@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR } *out = 0; return(buffer); + +mem_error: + xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed"); + xmlFree(buffer); + return(NULL); } /** ++++++ libxml2-CVE-2012-5134.patch ++++++
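Review bot: in the growBufferReentrant macro (entities.c), `size_t new_size = buffer_size *= 2;` doubles buffer_size in place before the test, so `if (new_size < buffer_size) goto mem_error;` compares two equal values and can never fire; buffer_size also stays doubled if xmlRealloc then fails. This should read `size_t new_size = buffer_size * 2;`, matching growBuffer in parser.c, which leaves buffer##_size alone until the realloc has succeeded.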
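Review bot: in the xmlParseAttValueComplex hunk that guards `*attlen = (int) len;` (parser.c), the new comment and the string passed to xmlFatalErrMsg misspell "length" as "lenght", and the comment has "reasonnable"; the string ends up in the parser's error output. The oversized value is also reported as XML_ERR_ATTRIBUTE_NOT_FINISHED and then jumps to the mem_error label, so callers cannot tell a too-long attribute from an unterminated one or from an allocation failure. A comment explaining the reused error code, or a dedicated one, would help.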
From 6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d Mon Sep 17 00:00:00 2001 From: Daniel Veillard <veillard@redhat.com> Date: Mon, 29 Oct 2012 02:39:55 +0000 Subject: Fix potential out of bound access
--- Index: libxml2-2.8.0/parser.c =================================================================== --- libxml2-2.8.0.orig/parser.c 2012-05-18 09:30:30.000000000 +0200 +++ libxml2-2.8.0/parser.c 2012-12-07 12:00:57.111732279 +0100 @@ -3931,7 +3931,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr c = CUR_CHAR(l); } if ((in_space) && (normalize)) { - while (buf[len - 1] == 0x20) len--; + while ((len > 0) && (buf[len - 1] == 0x20)) len--; } buf[len] = 0; if (RAW == '<') { ++++++ libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch ++++++
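Review bot: libxml2-CVE-2012-5134.patch is indexed against libxml2-2.8.0/parser.c, while the other parser.c patches in this update are indexed against libxml2-2.7.8; rediffing it against the 2.7.8 tree would keep the series consistent and avoid relying on offsets when it is applied. It is also worth a one-line comment on the new `(len > 0)` guard: libxml2-CVE-2012-2807.patch changes `len` in this function from int to size_t, so without the guard `buf[len - 1]` at len == 0 indexes with a wrapped value rather than -1.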
From 23f05e0c33987d6605387b300c4be5da2120a7ab Mon Sep 17 00:00:00 2001 From: Daniel Veillard <veillard@redhat.com> Date: Tue, 19 Feb 2013 10:21:49 +0800 Subject: [PATCH] Detect excessive entities expansion upon replacement
If entities expansion in the XML parser is asked for, it is possble to craft relatively small input document leading to excessive on-the-fly content generation. This patch accounts for those replacement and stop parsing after a given threshold. it can be bypassed as usual with the HUGE parser option. --- include/libxml/parser.h | 1 + parser.c | 44 ++++++++++++++++++++++++++++++++++++++------ parserInternals.c | 2 ++ 3 files changed, 41 insertions(+), 6 deletions(-) Index: libxml2-2.7.8/include/libxml/parser.h =================================================================== --- libxml2-2.7.8.orig/include/libxml/parser.h 2012-03-01 06:25:02.000000000 +0100 +++ libxml2-2.7.8/include/libxml/parser.h 2013-03-07 14:33:36.522115244 +0100 @@ -308,6 +308,7 @@ struct _xmlParserCtxt { int nodeInfoNr; /* Depth of the parsing stack */ int nodeInfoMax; /* Max depth of the parsing stack */ xmlParserNodeInfo *nodeInfoTab; /* array of nodeInfos */ + unsigned long sizeentcopy; /* volume of entity copy */ }; /** Index: libxml2-2.7.8/parser.c =================================================================== --- libxml2-2.7.8.orig/parser.c 2013-03-07 14:32:24.067961711 +0100 +++ libxml2-2.7.8/parser.c 2013-03-07 14:32:39.704426464 +0100 @@ -119,7 +119,7 @@ xmlCreateEntityParserCtxtInternal(const */ static int xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, - xmlEntityPtr ent) + xmlEntityPtr ent, size_t replacement) { size_t consumed = 0; 
@@ -127,7 +127,24 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct return (0); if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) return (1); - if (size != 0) { + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); + + /* + * If the volume of entity copy reaches 10 times the + * amount of parsed data and over the large text threshold + * then that's very likely to be an abuse. + */ + if (ctxt->input != NULL) { + consumed = ctxt->input->consumed + + (ctxt->input->cur - ctxt->input->base); + } + consumed += ctxt->sizeentities; + + if (replacement < XML_PARSER_NON_LINEAR * consumed) + return(0); + } else if (size != 0) { /* * Do the check based on the replacement size of the entity */ @@ -173,7 +190,6 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct */ return (0); } - xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); return (1); } @@ -2706,7 +2722,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { - if (xmlParserEntityCheck(ctxt, nbchars, ent)) + if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@ -2748,7 +2764,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { - if (xmlParserEntityCheck(ctxt, nbchars, ent)) + if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@ -6975,7 +6991,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) xmlFreeNodeList(list); return; } - if (xmlParserEntityCheck(ctxt, 0, ent)) { + if (xmlParserEntityCheck(ctxt, 0, ent, 0)) { xmlFreeNodeList(list); return; } 
@@ -7135,6 +7151,13 @@ xmlParseReference(xmlParserCtxtPtr ctxt) xmlNodePtr nw = NULL, cur, firstChild = NULL; /* + * We are copying here, make sure there is no abuse + */ + ctxt->sizeentcopy += ent->length; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + + /* * when operating on a reader, the entities definitions * are always owning the entities subtree. if (ctxt->parseMode == XML_PARSE_READER) @@ -7174,6 +7197,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) } else if (list == NULL) { xmlNodePtr nw = NULL, cur, next, last, firstChild = NULL; + + /* + * We are copying here, make sure there is no abuse + */ + ctxt->sizeentcopy += ent->length; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + /* * Copy the entity child list and make it the new * entity child list. The goal is to make sure any @@ -14339,6 +14370,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt) ctxt->catalogs = NULL; ctxt->nbentities = 0; ctxt->sizeentities = 0; + ctxt->sizeentcopy = 0; xmlInitNodeInfoSeq(&ctxt->node_seq); if (ctxt->attsDefault != NULL) { Index: libxml2-2.7.8/parserInternals.c =================================================================== --- libxml2-2.7.8.orig/parserInternals.c 2012-03-01 06:25:02.000000000 +0100 +++ libxml2-2.7.8/parserInternals.c 2013-03-07 14:34:38.744964733 +0100 @@ -1757,6 +1757,8 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt) ctxt->charset = XML_CHAR_ENCODING_UTF8; ctxt->catalogs = NULL; ctxt->nbentities = 0; + ctxt->sizeentities = 0; + ctxt->sizeentcopy = 0; xmlInitNodeInfoSeq(&ctxt->node_seq); return(0); } ++++++ libxml2-python-rpmlintrc ++++++ addFilter("spurious-executable-perm .*/usr/share/doc/packages/libxml2-python/tests/.*") -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
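Review bot: in xmlParserEntityCheck (parser.c, libxml2-CVE-2013-0338 patch), the comment in the new `replacement != 0` branch hard-codes "10 times the amount of parsed data" while the test is `replacement < XML_PARSER_NON_LINEAR * consumed`; refer to the macro in the comment so the two cannot disagree. The added `size_t replacement` parameter also gets no line in the function's doc comment in the changed lines, and the existing callers pass a bare 0 for it, so its meaning (0 disables the copy-volume check) should be written down there.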
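Review bot: in the two xmlParseReference hunks (parser.c), `ctxt->sizeentcopy += ent->length;` accumulates without an overflow check into a field declared `unsigned long` in struct _xmlParserCtxt, and the result is then passed as the size_t `replacement` argument. If the counter wraps, a value below XML_MAX_TEXT_LENGTH takes the early `return(0);` in xmlParserEntityCheck, and a value of 0 skips the replacement branch altogether. Saturate the counter at its maximum instead of letting it wrap, and consider declaring it with the same type as the parameter it feeds.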